California enacted the California Electronic Communications Privacy Act on October 8, 2015. This privacy legislation now requires California government entities to obtain a search warrant before obtaining or accessing electronic information, with limited exceptions. The Act’s protections, enforceable by companies and individuals, extend to service providers storing any information about an electronic communication, the use of an electronic communication service, and any information stored or generated through the operation of an electronic device, including both content and metadata. This impacts data stored on smartphones, tablets, laptops and other electronic devices, and protects all manner of electronic information, including emails, digital documents, photographs, passwords, geolocation data, and IP addresses.

On Thursday, October 8, 2015, California Governor Jerry Brown signed into law the Electronic Communications Privacy Act (the “California ECPA”). This legislation, which takes effect on January 1, 2016, has been heralded by privacy advocates and a number of technology companies as a welcome modernization of California privacy law. The California ECPA has broader privacy protections than the federal Electronic Communications Privacy Act (the “Federal ECPA”), which has been widely criticized for its failure to evenly protect various forms of electronic information from government intrusion and for using outdated concepts of electronic privacy. In contrast to the Federal ECPA, the California ECPA requires a search warrant to compel production of or access to sensitive information like emails that have been stored on a server for more than 180 days, detailed location information generated by electronic devices, and sensitive metadata relating to user’s electronic communications.

What Information is Protected by the California ECPA, And How Does it Impact the Federal ECPA?

The California ECPA prohibits government entities from:

compelling the production of or access to electronic communication information from a service provider;

compelling the production of or access to electronic device information from any person or entity other than the authorized possessor of the device; or

accessing electronic device information by means of physical interaction or electronic communication with the electronic device (except where electronic communication information is voluntarily disclosed by the intended recipient of an electronic communication).

Critically, “electronic communication information” is defined as including “any information about an electronic communication or the use of an electronic communication service.” This includes both content and metadata, and the California ECPA explicitly references its application to certain classes of metadata commonly sought by law enforcement, including user geolocation data and IP addresses. Similarly, “electronic device information” is defined broadly to include “any information stored on or generated through the operation of an electronic device, including the current and prior locations of the device.” Thus, the California ECPA impacts private electronic communications such as emails, text messages and GPS data that are stored in the cloud and on devices such as smartphones, tablets, laptops and other digital devices.

The California ECPA does not impact federal law enforcement demands for information; the Federal ECPA still governs their demands.

What Information is Not Protected by the California ECPA?

The California ECPA explicitly exempts certain state investigative tools, when used for specified purposes, from its prohibitions. More specifically, the California ECPA does not prevent state law enforcement from using administrative, grand jury, trial, or civil discovery subpoenas to:

require an originator, addressee, or intended recipient of an electronic communication to disclose any electronic communication information associated with that communication;

require an entity that provides electronic communications services to its officers, directors, employees, or agents for the purpose of carrying out their duties, to disclose electronic communication information associated with an electronic communication to or from an officer, director, employee, or agent of the entity; or

require a service provider to provide subscriber information. “Subscriber information” is defined as “the name, street address, telephone number, email address, or similar contact information provided by the subscriber to the provider to establish or maintain an account or communication channel, a subscriber or account number or identifier, the length of service, and the types of services used by a user of or subscriber to a service provider.”

How Can the Government Compel Disclosure of California ECPA-Protected Electronic Information from Service Providers and Third Parties?

Government entities may compel the production of or access to electronic communication information (from service providers) or electronic device information (from an individual other than the authorized possessor of the device) only pursuant to:

a search warrant, wiretap order, or order for electronic reader records; or

a subpoena issued pursuant to existing state law, provided that the information is not sought for the purpose of investigating or prosecuting a criminal offense, and compelling the production of or access to the information via the subpoena.

How Can the Government Access California ECPA-Protected Device Information on an Electronic Device?

The California ECPA also limits the situations in which a government entity may access electronic device information via physical interaction or electronic communication with an electronic device, such as a smartphone. This type of access, relevant to both businesses and consumers, is only permitted where the Government entity:

obtains a search warrant or wiretap order;

obtains consent of the authorized possessor of the device, or the consent of the owner of the device, when the device has been reported as lost or stolen;

believes, in good faith, that an emergency involving danger of death or serious physical injury requires access to the electronic device information; or that the device is lost, stolen, or abandoned, in order to attempt to identify, verify, or contact the owner or authorized possessor of the device.

May a Service Provider Voluntarily Disclose Protected Information to California Officials?

Yes. The California ECPA does not restrict services providers’ ability to voluntarily disclose electronic communication information and/or subscriber information. Consequently, it does not appear that the California ECPA impacts a user’s consent to the disclosure of information pursuant to a service provider’s privacy policy. However, it does restrict how state entities may use electronic communication information voluntarily disclosed by service providers – the electronic communication information must be destroyed within 90 days, absent an applicable exception. There is no such deadline for voluntarily produced subscriber information.

Is There a Private Right of Action Against Service Providers for Disclosing Electronic Information Pursuant to the ECPA?

No. The California ECPA provides that corporations, as well as their officers, employees, and agents, “are not be subject to any cause of action for providing records, information, facilities, or assistance in accordance with the terms of a warrant, court order, statutory authorization, emergency certification, or wiretap order” issued pursuant to the California ECPA.

Who May Enforce the California ECPA?

The California ECPA authorizes the enforcement of the Act by any individual whose information is targeted, as well as by a service provider or other recipient of a search warrant, order, or other legal process seeking the disclosure of electronic information.

Further Implications

Given the rapidly changing and fragmented legal landscape, companies who receive government requests for access to electronic information are likely to benefit from legal counsel. These issues are increasingly complicated and are impacting an ever-wider range of businesses as companies expand their collection of customer information.